[20404] in Kerberos_V5_Development
Re: Suggestion of change to certauth plugin interface
daemon@ATHENA.MIT.EDU (Nico Williams)
Fri Feb 24 14:35:50 2023
Date: Fri, 24 Feb 2023 13:34:47 -0600
From: Nico Williams <nico@cryptonector.com>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Message-ID: <Y/kRV0yia8itzZL3@gmail.com>
In-Reply-To: <202212091216.2B9CGGmE027119@hedwig.cmf.nrl.navy.mil>
Cc: krbdev@mit.edu
On Fri, Dec 09, 2022 at 07:16:14AM -0500, Ken Hornstein via krbdev wrote:
> >This wouldn't necessarily require a major API bump, but can you
> >elaborate on what a certauth module would be interested in the
> >configured realm list, and can't build it up as queries come in?
>
> Sure. I talked before that one of my plugins was for doing OCSP
> checking of client certificates for PKINIT. Well, it turns out that
> to do that, you need to build up the complete certificate chain so you
> can check the status of intermediate certificates. To do that, you
> [...]
Wait, why doesn't the KDC furnish the whole chain to the certauth
plugin?